So says Jim Bird, the CTO for BiDS Trading, a trading platform for institutional investors. Jim continued, "DevOps teams can move really fast...maybe too fast? This is a significant challenge for operations and security. How do you identify and contain risks when decisions are being made quickly and often by self-managing delivery teams? CABs, annual pen tests, and periodic vulnerability assessment are quickly made irrelevant. How can you prove compliance when developers are pushing their own changes to production?"

Jim was presenting at the 2018 Nexus User Conference on Continuous Delivery. Pulling on his 20+ years of experience in development, operations, and security in highly regulated environments, Jim laid how and why Continuous Delivery reduces risk and how you can get some easy wins toward making it more secure.

As Jim points out, it reduces risk because:

Breaking work down and delivering it incrementally reduces delivery costs and risks

Continuous Delivery takes care of the critical "last mile" of production

Change becomes routine

Change becomes cheap, because teams can afford to make more small bets, iterate, and learn

Change becomes fast. Teams can push fixes out quickly to respond to failures or security threats.

To make Continuous Delivery secure without getting in the delivery team's way, Jim outlines a few key points:

Understand the team's workflow and tool-chain - work the way that they work

Address real risks and threats - problems that everyone agree are important and relevant

Take an incremental, iterative approach

Provide useful, quick, and continuous feedback to the team and to management

1. Automated Safety Checks in Your Pipelines

Why? Because you are making changes often, it is easier to make mistakes. You need simple, fast checks that find them before the bad guys. This makes auditors happy because they can see that policies are being enforced.

How? Add tests/assets for common mistakes to the end of the automated build/deploy pipeline in test and production. This includes: default/missing credentials; SSL and HTTPS settings; known critical vulnerabilities; file and user permission, and, open ports.

Tools and frameworks available include:

Netflix Security Monkey, Conformity Monkey

Gauntit

OWASP ZAP Baseline Scan

OSQuery

InSpec

Cloud services like AWS Inspector

2. Lightweight Risk Assessments

Why? Teams are making decisions quickly, so you want them to be able to do this safely and to look for potential new risks upfront before coding starts. You get security/compliance stories into the backlog so that they can be planned for, and so you can find the right tools, libraries, and frameworks. It also makes the risks visible to the teams and management.

3. Security Unit Tests

Why? These prove that vulnerabilities are being fixed correctly. They teach developers how to "step off of the happy path" in their testing, and it will catch/prevent regressions. Normal tests prove it works, not that it might not work, and developers need to write happy tests, sad tests, and bad tests.

How? As you find vulnerabilities, write a test first so you can prove it exists. Then, have developers fix it and then run the test again. They can use tools such as JUnit, NUnit, and Jasmine.

4. Secure the Software Supply Chain

Why? Third-party code injects risk and security vulnerabilities and technical debt: known security vulnerabilities; abandoned and out-of-date code; and, license risks. It is relatively easy, there is some lifting at the front, but, once you do it, you have a nice control set going forward.

How? Get a tool to automatically catalog dependencies and check against vulnerability databases. Integrate it into the Continuous Delivery pipeline and fail builds on serious problems.

5. Self-Service Code Scanning

Why? Automated static analysis scanners can catch common coding mistakes and bad practices. This is the only way to cover large code bases, and it backstops code reviews because reviewers won't waste time on superficial and subtle coding problems. It fits naturally into workflows and results can be fed directly back to developers.

How? Focus on high-risks and high-fidelity rules. Accuracy and speed is more important than completeness in Continuous Integration/Continuous Delivery. Tools include:

And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.